Skip to main content
9:00 am
we didn't really -- the embassy at damascus have not had a chance to really get to know the opposition and sort of where the energy was in this whole revolutionary process. and so the training and equipping that we did of nonlethal assistance to the nonviolent opposition allowed us -- has allowed us over the last year to really broaden the u.s. knowledge of what's going on in syria, who the key players are. and i think if you end up, if you're getting close to a circumstance where there might be either rationalized or let's call it a highly decentralized result to the conflict, then you really want to know 100 people. you don't want to be dependent on just walking a white horse down main street at damascus and hoping that some leader jumps on and we go. so this is the kind of sort of ground, foundation building that you have to undertake and that
9:01 am
we've done. >> could you tell us something a little more specific about how you're actually doing that? do you know 100 people in aleppo? you've got a team of 200. are you able to get people on the ground, work with others? >> sirree is a really good challenge, because you have to work out of a third country, which has its own for distinct feelings about what's going on inside of syria and what it might mean to them. so we're working -- up until the last two weeks, we have worked exclusively in turkey. and then we, now we started to work in jordan as well. that happens to be, not the internal bureaucrats are that important, but that happens to be two geographic bureaus and different sets of ambassadors, and so again, i don't want to overstate the sensitivity of that, but that's -- that's part of what we have to do.
9:02 am
so what we've done is, the answer is yes, we do know a hundred people enter into, but what concerns me, but all of them have had to come across the border, and we've essentially been running, helping to provide equipment for them but also training sessions and how to work equipment safety and also on some government issues. but we still have a lot more work to do in terms of getting to know more syrians and getting to know the ones that we do know much better. because, for example, if you do a fading exercise where you try to, want to make sure they're not terrorists at the same time, as they say the there are frienf ours, which is another part of our process. that doesn't actually tell you much about how capable they are or what you can do with them. >> and i believe you're going in a few weeks to burma. what are you hoping to get done there? >> the u.s. policy in burma, we try to anchor ourselves with u.s. policy, and that seems a
9:03 am
good place to start rather than inventing it. and so we think the u.s. policy in burma is pretty clear. that we want to open the place up, or want to do with the long-standing ethnic disputes, and we want to do business. and we think the cyclone is probably the most delicate one. >> i was going to ask -- >> because that's the one we are on. >> what can you do? >> it has been very delicate and it's been very sensitive because the burmese seem to be been quite nice on their own towards the first and third targets, and this is the one that is most uncomfortable. so we tried to find a subject matter that might breed dialogue between the parties. and the subject matter that we've settled on has been landmines because it turns out that neither side really likes landmines and the results of them, yet there are plenty of them out there.
9:04 am
so in two of the most conflicted areas, we are working with both parties to hopefully bring them together around the subject of landmines, feeling that it is progress on that, then the richer discussion will follow. so that's the way we are going at it. and can you give us maybe some thoughts on afghanistan, where there are problems from corruption to the violence to the -- are you involved at all with that? >> we had our largest operation was in afghanistan, but in the course of last year, we have reduced it dramatically. we had about 30 people there, and we are now down to about four, partially because we felt that the withdrawal was -- the transition was the largest issue, and we should probably do our part to get out as well as we could. and so all of our people are now
9:05 am
working on essentially the transition plan. so they're doing planning for the embassy and the military on the next steps. that's all that we have left in the country right now. i just had a conversation with somebody the other day, and they said, gee, what you're doing in the kenyan election, maybe you would think about doing in the afghanistan elections. so we are just speeded what are you doing in the kenya elections? >> well, i think as all of you know, four years ago kenya really lit up as a result of the political leadership, essentially stoking the public and a lot of youth, to the point where several thousand people died, and several hundreds of thousands of people left their homes, and it really got out of control. and so that's the focus of what we're doing. i think what the embassy had asked us to do was help us drive all of our attention to the election related violence, because if that happens again it
9:06 am
will be by far the worst thing that could happen to kenya. so we felt we are on the right issue. now, what could you possibly do? we felt that they would be a great deal of attention provided by the u.s. and other international partners to the election -- to the logistics of the elections. in a way, it's both a flattering and in a way it's a bit of an industry that the there are a lot of people who know how to do elections. and even though almost every election has ballot problems and delayed, delays, we still now seem to find the finish line. so we felt that the work, the greatest problem was if there was violence, who would check it? kicking a -- kenya is going through a period of amazing reform right now. they've got a new constitution, they got commissions for virtually everything under the sun. it's almost over reform in the sense that it's got too much for the body politic to absorb at
9:07 am
the same time. and the police reforms happened to be lacking behind. now, we had to make an assumption that the police probably would not be in shape to do what we do, what we would hope they would do. and standing and believing that point we didn't think was particularly smart either. so what we've tried to do is to find ways of using an amazing network that the u.s. government, aib, state department and others have already gotten under way for fighting aids, for horticulture programs, for a series of initiatives that are ongoing in place. how do you take that essentially apolitical mass of people and engage them in the election related process? so we had a conversation in the rift valley. there were 14 people there. rather than having each of them tell us the wonder of the programs, we have a conversation that got right to the question.
9:08 am
what worries you most about your country this year? election related violence. are you doing as much as you'd like to be doing to combat that? no. would you like to be more engaged? yes. is there anything that you think you could bring to this that might be helpful in terms of an early warning system, in terms of making the police were capable, in terms of checking how the election is going? the first person to speak was a man running our culture program, a kenyan, and he said i don't know if i can help, but, because i've only got 4000 kenyans in this area who are part of my program. my amy about was, you could get elected governor of any state but texas with 4000 people as your base, right? [laughter] the next person to speak was the person running the aids program. and he happened to say, well, we have several hundred thousand households that we visit in this region every week. so we said, okay, what would
9:09 am
take for you to bring your assets to this charge? now, aig already had a wonderful yes, you can initiative, which is literally tens of thousands of youth engaged in the election process. so combining these people come and for catholic bishops who had refuse on their land and they were already involved in a. so is really a question of how do you bring these kenyans to the next level of capacity. and the one thing they said was, we need to come together right away. and secondly, if you helped us get some local kenyan staff to take our asset and put it to this use, we will continue to our day jobs, but this will be -- so a whole champions of peace initiative was started in the rift valley. something like it in the coast. we're still very, very weird about places like the slums of nairobi, which are tougher. but anyway, i think it will make a difference at the very, very,
9:10 am
very least, there will be thousands of kenyans who are more involved in a political process and they would have been. they would've been spectators, and now they are participants. and i believe that can only he help. >> thank you i'm -- >> long answer. >> that's quite all right. i think i'm going to open up the floor to questions. please wait for the mic. state your name and affiliation. keep your questions brief. >> and if you're a friend, keep your questions friendly. [laughter] >> yes, and keep your questions extremely friendly. yes. >> i must tell you i'm terribly impressed. it doesn't happen often. i mean, we're going to focus. we're not going to jump in with both feet. were going to let the locals to some of the work -- >> we are trying, we're trying. >> [inaudible]. my question is when are we done? >> when are we done?
9:11 am
>> yeah, because once you're in state if it's not make them into a switzerland? i keep hearing were not going to make them into switzerland, but i never hear what we're going to make them into. romania? lebanon? where are we going? >> yeah, thank you. i've enjoyed your work over the years, so thanks for your compliment. i'll take it as -- i hope there was no sarcasm in it. just a touch. well, in a case like kenya, for example, we're done probably a month after the second, if there's a runoff election, after the second round. but i don't believe that in every case it's that clean and simple. we will likely be involved in syria for maybe six months after the change in regime, but we believe that we will help to get things started and really create the opportunity. and it should fit into sort of
9:12 am
other opportunities the u.s. government and the international community see in this place. in a place like honduras right now, there are certain elements of the work that we've done that already finished because they were looking for the kind of emergency help with prosecutions. the issue there was this explosive homicide rate and the loss of government control and a total loss of public confidence, quite a few things, but they were tied to the highest homicide rate in a non-conflict zone in the world. and so we did give him some initial emergency help to bring some prosecutors and some homicide investigators because they didn't have enough of those in place. but that part of the program has already ended really, and what we have tried to move on to his local initiative that we believe are quite promising, including a national tax on the basis community to make the country
9:13 am
safer, something that took considerable legislative action, but the likelihood that it's going to be implemented particularly will is not that great. so how do you try to build a success out of a nice idea that might or might not work? so those are -- but we can see -- i mean, we say zero to one year because that's the biggest window and nobody else is, that's not overpopulated by u.s. capacity and capability. but i also just -- but it's not religious. it's a period that we can extend it as, for six month or a year as needed, but it should make us be more urgent to really drive the exercise. we find that one would bring urgency to almost any discussion inside o of the u.s. government, it's a constructive thing to do.
9:14 am
>> i'm well from dyncorp international. there are a number of areas in the u.s. government that look at failed and failing states that the undersecretary for political affairs has the responsibility of state, that there's the cia's failed, failing states index and the nsc chairs or used to chair an interagency coordinating committee to look at failed and failing states. how does cso playing the? >> first off, we tried to work and less play with everybody that you mentioned because we really want to be, we want to be aggregators of talent and good work that's going on. for example, even something as simple as, seemingly as simple as analytics, we have a metadata analyst in our shop now. but we don't want him to -- will
9:15 am
have to be an aggregator of aggregate. i keep saying to them, you've got to be made richard -- nate silver on steroids because, we can't possibly run in of stuff three years, sleep got to go to it turned out the intelligence community loves being called by the state department. i mean, they are flattered by. they want to have their work respected and called upon. and so it's not hard. and it's the same with the military community. oftentimes, there may have been times when the state department has not been as friendly a door as it could be to those other partners. and i think in particular when you get to something like the policymaking, there's been kind of the secrets when the, sort of like kentucky fried chicken. you have to go in the background, and nobody can tell you what the elements are. and i happen to believe that the process should be widest at the
9:16 am
beginning and then narrowed down, rather than being now at the beginning and hoping everybody's going to jump on board. so that's the way we're trying to do it. >> each time a given into, it's 10 times more hands go up. so i'm obviously not clarifying. [laughter] >> i want to hear about how the intelligence community loves being called by the state department spirit pauline baker, the fund for peace. i'm also impressed a that the process that you got through, and particularly it being catalytic in terms of the bureaucratic politics of it, not just bureaucratic in terms of impact on the ground. i have something of a concern about the short-term horizon. you said the wind was zero to one you. the real problem with failed and failing states are that there are deep-seated structural issues. and if you're really going to get to the heart of najaf have a longer-term strategy of some sort. and even if he uses the example of kenya, for example, sure, everyone's concerned about the elections, but one of the problems we've had in the path
9:17 am
is that we focus on elections and then go home and think everything's okay, and it's not. so how do you get to the next stage of what you were doing? where you really get to some of the fundamental underlying drivers of the failing states rather than just the triggers? >> right. i think, i hope, and my answers, but even more so in our work, that we are touching on those issues right at the front, at the front end, and we are not just running to an election process but we are really going at the core issue of, in particular, in a place like kenya, of surrounding the political elites so that they don't have the room to instigate violence around the country. so it's basically, the bigger idea of getting all these people in flight is that they will not only came ious but they will let the political candidates know that the space that they are operating in is shrinking
9:18 am
dramatically every day in terms of how they can't incite the public. so it starts with precisely the behaviors of the political elites in the country. but you have to figure out how you check it, because in a place like kenya, you've got a wonderful press, you've got a very rich civil society, you i shall have some rule of law. a lot of things are going on the don't exist in other places. but there's been something that has been used over and over and over again through the decades, and it tends to -- at least our analysis has been, tends to come back to a few players who have been acting highly irresponsible a, and they are trying to limit the political dialogue to one of tribal divisions as opposed to how the country is run and how it should be run looking forward.
9:19 am
but, so it's not -- the second part of the answer is there are many, many parts of the international community, including the u.s. government, that actually, they are there supposedly to play the longer game. and in some cases it takes them two years to get the, three years to get the, but that's what most of the money is. there happened to be two places where the money sits in our system. wind is in the instant emergency and other is in the longer-term play. and in between, we haven't done that good a job, and i don't think we've even done a good job of getting started in the right direction. and if we get these programs, somebody is working on a stark warning about the political elites, they're going to be much more effective in terms of what to do with the aids program as well. we are thinking about it. icy with the u.s. government needs to do is to be much more affected on the problem, and would at the beginning of the vector, okay? and what we do should fit inside of this vector and it should be highly catalytic.
9:20 am
but we are not responsible for the whole ride, nor is any part of the international community. it's got to be a country bette, so i think there's been a paternalistic mindset as well which is a whole nother issue, but the we've come in and said okay, we want to fix this please. at the end of the day, it's probably like having an alcoholic relative. you have to help out where you can, but let's keep it on focus. that's not easy, by the way, because we have a lot of wonderful things we do, like we do. >> i have a question that the follow-up to that question on rule of law. you mentioned rule of law and failure of rule of law in failed and failing states, and the real problem with lack of governance. to what extent on the business and economic development and creating or helping them create a better economic environment, to what extent do you get
9:21 am
involved with that type of work? because there's a lot of seeding projects you could do in the area which could have real long-term implications, especially in a country like honduras. >> sure, sure. i'm not sure this exactly answering your question, but we see the business community as being a huge area of opportunity that hasn't really been called upon as aggressively as it should be in these kind of cases, and so we're trying to do that. out of skid a couple quick examples. we had dinner one night when i was in mambazo, and the general manager at a hotel, the general manager at the hotel said something like and he had 684 rooms fro, and during the last d of violence he had eight guests in his room -- in his hotel. so he was very attuned to a radically things could change if not managed well. in honduras this attacks on the
9:22 am
business community has to be collected fairly. already there are signs that the collection is dropping. the collection rate is dropping or the compliance rate is dropping. it has to be spent wisely. there are signs that it could be used as a slush fund by key political operatives. so these are the kinds of challenges that, but the business community can't afford to privatize their entirety to the operation in place like honduras, which is what effectively people do. and then when you have totally privatizing today operations, such as oil compounds, they, too, are not immune from the kinds of disturbances we are seeing. so we've got to think about this in a much more sophisticated way. and these people have a huge interest and a huge investment,
9:23 am
and they haven't been necessary for doing. they are taking care of their own as opposed to the societal plan, ends with that figure out how to engage them more broadly. but we are keeping that in mind everywhere. >> doug feith from hudson institute. rick, your bureau is an outgrowth or an evolution from the office of the coordinator for reconstruction and stabilization. how would you describe any differences between your bureau's mission and what was the original concept of the office of reconstruction and stabilization? >> i'm probably not the best historic do i know i've got some people who work for me who could probably do a better job. but what i could say is that when i was offered this job by secretary clinton, the prior
9:24 am
office had lost the confidence of key players on capitol hill and others in the u.s. government. so i just thought it was a chance to start over. and i think that probably a lot of what we are doing was originally -- was in the original conception. and we've tried -- i'm trying not to throw the baby with the bathwater, probably nobody said that since the grandmother died, right? i don't know why that phrase came up. >> perfectly good phrase. >> so my feeling is that i think the original intent was to be strategic and to have a policy influence. and didn't i think when it went through its middle stages as a coordinator it had lost, it never gained traction in the state department. and so then went into a kind of a supplier of people come which i thought was too limited. so we try to recapture that and
9:25 am
want to be part of a policy conversation. we've been very fortunate to have a dynamic support of secretary clinton for the first year of our existence. and now what we're finding is, i've only been in a handful of meetings with secretary kerry, but he never went to the meetings, every one of the meetings, he has said bringing ideas. get me some out of the box thinking. we've got to find another way of doing some of these things. and i'm hoping that our bureau can be a very aggressive supplier of ideas and of different ways of doing things. and that what i think, i think the come up with good ideas we will have influence on policy, we will be invited to the right meetings, and we'll be seeing as a valuable instrument of change for u.s. foreign policy. and i know that's the case with the embassies that we are
9:26 am
working with. a lot of you, i mean, i don't know how many of you work in the state -- how many of you have worked in the state department? [laughter] i'm probably not speaking a totally foreign language your to you, but you would understand that we've got to do it one day at a time, and occasionally with a big idea. but one day at a time is probably -- this is kind of a digression, but about two or three months ago when it was kind of in a relatively stressful time in this job, i thought, why am i doing this job? and then i thought i might've wanted and a lot of people don't have the i'm the youngest of three brothers. that means for the first three years of my life, the first 12 years of my life, i had an undefeated losing streak. i lost every time i did anything, i lost. for 12 years. my favorite line was always let's play again, let's play again, let's play again. and i can tell you i got about a 50 year winning streak on my middle brother right now in
9:27 am
tennis. [laughter] you can get to that point. that's the sort of way you got to do at the state department. you've got to be there every day. it's persistence. >> i'm from northrop grumman. i like what george is saying about new ideas, and i think there's a place just a couple miles from here with a deadlocked government that could use some new ideas, but -- that your bureau might provide. just kidding. >> i'm sure we won't be invited. >> my question is, how well sequestration affect your bureau? >> well, we've made a lot, a lot, a lot of administered changes. we've actually restructured 40% of our budget in the last year. and part of that is agreed more liquidity and not just to sit on people. so i think we're probably better positioned than some, but we're
9:28 am
actually -- were not particularly well-funded but i think secretary kerry actually even mentioned this in his speech today at the university of virginia, and he said something like, i was watching it so i've been told is, that he said, i get $60 million for conflict and stabilization, which is what apparently was spent to produce the avengers, the movie the avengers. suite said something about us -- about us being superheroes. there does come a time. all of you again work in the state for the you know that having a liquidity, good ideas is great, but liquidity is also important. it's something i did talk to secretary clinton about when i took the job, that i just like to be able to go to any ambassador and said i got a couple million bucks in my pocket. but also it's important for the people that work for our bureau the they go out and they think they've got a million dollar credit line for the taxpayers. so they're forced to be created. otherwise it's like, i don't
9:29 am
have any money, i don't have the time, i don't have enough people. but you got a million dollars, if you've got a good idea, call. we still need to activate the phone a little more. we've given them that license. >> there's a movie in this spirit i want to recognize steve morrison who helped to start odi and was one of the founders of it. >> dave, where are you? >> yes, in the back. >> thank you. i'm with voice of vietnamese americans. congratulations to your new position, and congratulations to the new winning streaks, and we hope to continue lasting for your. >> i hope my brothers not watching c-span last night. >> you state from the beginning, you mentioned focus, and you also mentioned we have to listen to the silent majority. and so president obama and
9:30 am
secretary clinton have both refocused or rebalance their focus to asia-pacific, even though we've only rebalance. and you said that you work with burma. so my question is to what southeast asia and what you share with, your vision of how to build capacity for burma and how to build burma up so that next year we think, burma will be the chair of asean, how to build asean up to the centrality role and how to work into that the code conduct and the rule of law in the southeast asia see? would that help to resolve some of the complex that we are concerned about? >> i think it would, for sure. i have to say that since i had a chance to visit burma myself yet, i probably less conversant with it that i am with the other major cases that we're working
9:31 am
on. that clearly, there is plenty of opportunity for progress in this space, and i think that's, and the u.s. policy is really trying to drive it. in terms of the rest of southeast asia, we, right now as we look at sort of future engagements, i think that there probably are a couple of countries that we have to be sensitive to, and that we are reviewing. but we haven't gotten much beyond that stage. so i'm sorry not to be better informed to answer your question. >> way in the back row there. >> thanks, claudius. will davis with undp. mr. ambassador, you mentioned it's a crowded field speed is i always worry when somebody says that. [laughter] >> how does he is a plug-in or not plug into the other actors that are out there, either bilateral or multilateral?
9:32 am
>> i'm hoping that -- thanks for that softball. [laughter] [inaudible] >> i'm hoping that we will be completely opportunistic in terms of our partners are. we have actually two people from our partnership office here today, and raphael carland and andrew hyde over here. and their job is to make sure that we do not like and time again, but we just look to see who's got the best down on the ground, who's got the best ideas. and for example, on the way over we were talking about calling some of our european colleagues because the canadians had called us a couple months ago saying, we want to do something on the syrian problem but we don't really know where to start. we said, well, how about two of the platforms that we've helped
9:33 am
to create in turkey. one, and office of foreign assistance basically for the opposition, and another was kind of a media hub. and the canadians have jumped in for a couple million bucks, which is terrific. i mean, why not? we had already jumped in with the uk on the media idea. but we want -- we are putting people into human missions as well if that's the best platform in the place, and that's where we can make the most difference. i see fred here, and, you know, fred and i work for a couple of years on trying to get a better position, a better participation between undp, the u.s. government and anybody else who would join in, the world bank or whatever. and we had a little experiment going in mozambique which seemed promising, because we all realize, we all have to put the same kind of people on, do we
9:34 am
all have to read all the good housing? to have to hire all the teachers to drive our cars? can would ask a concentrate our effort and really be more effective? and i believe that we have to do that in fiscally constrained times as well. and furthermore, it's better practice. i mean, it's not just about money. it's actually just a better idea because nobody is that's more. it's hard to get a really good leader. it one of us had a good lead in any of these places, get behind that person. because getting three good lead in one place is almost unheard. so there are real limitations you and i think if a more honest with ourselves, we will be more effective and our partnerships will be richer. >> a question in front here. >> ambassador kennedy. what about -- >> it's for others. i can hear you. [laughter] >> tanzania and malabo, the very
9:35 am
small state which at one point was doing very well, and now it's almost nowhere, so it's just another part of east africa. >> haven't done any work there. we are doing some early analysis, for example, of zimbabwe. assuming that is going to be change in sometime we have an 80 something year old leader. and so we've really tried to go in there and say okay, what should we do if there is a change in government or the there is an opening? but we haven't any work in that space, and so i really -- sorry. >> how about halfway down there? >> dan smith, american university. i was struck in your initial points that you said more expertise is needed on conflict. under scrs, there was a lot of emphasis put on training.
9:36 am
everybody had to go to training, but my sense was that others in the state department were not taking advantage of this and i'm wondering whether the training bug on conflict resolution has seeped down at all into the culture of the state department. >> i'm sure that there's further progress possible -- [laughter] >> sort of picking up the tony. i would say we are very, we were helped by maria otero, who is our under secretary for the last few years. she saw a need for kind of a broader j. family, which is kind of the whole citizens a duty, civilian security side of the state department now, put together a number of bureaus including our own, and that the course be broader than just got to be kind of a survey course. we really does a lot of work in taking some of -- what we do our
9:37 am
best elements and putting it into the core. so fsi is now offering that. and that's -- i think there's still plenty of work to do. one way we are trying to do it is to try to set aside maybe two weeks a year for each, every person who works for us, for professional growth and professional development, so that we logically think about it that way, and then we customize the training of those people. but i'm also a big fan of having people, leaders in the field, dane, that actually are pretty season and we do more mentoring, because these places are just really difficult. i read an e-mail in the last couple days about how stressed out one of our teams is in one of these places. and you know, it was pretty troubling really.
9:38 am
because we're pushing them to do a lot, and furthermore, it's dangerous where they are. that would naturally put you on edge. so we've got to think about, you have to have a special types of people to do this work. it's a way to demanding. to our a lot of people who don't want to face physical, the prospect even of physical danger on a regular basis. understandable. so i think we've got to start by having some better leaders ourselves and identifying other good leaders and the state department and using them more aggressively. and we're just getting to that. i did are still quite a lot to do in that space. >> spent mr. ambassador, is a trend for myself, i feel i have the prerogative to ask you the hard question.
9:39 am
this is bobby charles. i spent a little time at stake. >> the gprma law, omb i knows is not here at this event, so we can ask this question, it is very harsh. what are your metrics for success in this bureau, given its newness, against the duplication in some of the other bureaus, including my old bureau? >> that's a good question. first off i don't think there's a ton of duplication. i'm finding much more of a vacuum the duplication as a problem, and in particular in the early days of getting going. but we're trying to feature real-time evaluation t but i dot want to hear from inspector general or the special inspector general two years later of the various things that we could have done better. we are already doing evaluation in some of our programs that they've only been after three months. i want it to be highly honest i
9:40 am
don't want people to go back and tell me we are the best thing the u.s. government has ever done. i want to know how we can do everything better. but one measure of, then measures how we play well with others. for example, your old bureau, we work with a lot at and in honduras right now, we're very twinjet within. we're talking about, we just got kind of a special appropriation last night, the first notice of it for additional work in syria, and were going to do some of the role of all training with your old, with inl. but that doesn't mean that it's going to be good. that doesn't mean that it works. for example, we were working with the police reform commission to i think the best evaluation you can ever have is whether this will, these things didn't work in these things did work. i find when i go to fill if i do everything i did was brilliant, they cannot almost immediately. and if i say, look, these are
9:41 am
some things that i wish we'd done better and this is the way we can't see to do them better, that has quite a lot of resonance, and also in getting resources directed to you. it also makes you more credible with the fp or because you're not just, we're not constantly championing ourselves. crisis funds that fat intimacies were to use. it's hard to make the argument that it's a crisis it is set in an embassy for two years. nobody in u.s. government thinks you can go out and grab back the money. we went out and grab the money. we did in a very highly predictable way. so everything could see it going. it wasn't as bright and we do $30 billion out of the. that $30 million hasn't come back to us to some of that money has gone to a.i.d. some of that money has gone to inl. so if you're an honest broker as well, that's another way that you can show that you're more credible. in terms of measures, if the election and can use mostly
9:42 am
safe, we still won't be able to take credit for it because it's kind of a big thing. but i think we will be able to say these are the elements that we contributed to the. if it's mostly violent we can say, yeah, wasn't less violent where we were? i'd rather be measured on what we are actually trying to do rather than all of our inputs were fine and my people behaved well. what's the point? i mean, the bigger point is the reason we are there. that's what i would like to be measured. >> thank you. we have time for one more question. before we take a, i just want to remind you all that this meeting is on the record. [laughter] >> that's too bad. it's too late now. [laughter] >> yes, it's too late now. >> make it a multiple choice, if you would, or true false would be even better. >> i nancy burke, george washington university. i'll try to make it true false. is it true that you have a lessons learned process to share
9:43 am
with yourselves and the rest of the government. >> we do, and, but it's also a work in progress. i don't want to overstate it. for example, we had a lot of people work in afghanistan, and, of course, the last two years, not so much the last year for the last few years. it turned out 115 people from our predecessor office and our office had worked in afghanistan. and so the obvious question was, well, what did you all learn? and they've come up with a really accident paper now, which they have now taken over to the afghan-pakistan office as well and shared it with 30 people there. and so the learning process, this gets back to sort of dane's question, how do you make the learning process broader than just yourself, because ultimately you can't just play by yourself in this work. and so that's the way we are trying to do things.
9:44 am
we do have -- were asking people, if we do a tabletop on mali on friday, how do we package what we learned on friday so it gets through the state department and a.i.d. and the intelligence community and anybody else in the white house can anybody else who thinks, the defense department, who thinks that they're part of this exercise? because even if the six experts they can do a roundtable aren't right, they have surely said something that is of interest. and let's make sure that it doesn't end up being the exclusive province of just a few people. i think there's a little bit of a cultural uphold except yourself, and our culture is explode the knowledge if we can, because we all have to get smarter a lot faster than we been doing it, evidenced by our success ratio in these very tough places. so thank y'all very much.
9:45 am
>> thank you. thank you, ambassador barton. [applause] >> good luck. may you outdo the adventures -- the avengers. >> here on c-span2 we will go to take you live in just a bit to the armed forces communications and electronics association. ..
9:46 am
good morning. i would like to thank brian for this opportunity. we are in i.t. media company, a source for the federal state government community and platform for education and collaboration. it's my honor at this time to introduce to you major general brett williams. major general brett williams is the director of operations j-3 for the united states cyber command in fort lead maryland responsible for operations and specified department of defense information networks as well as spectrum, military, cyberspace operations and support of u.s. national security objectives. general williams was commissioned in 1981 and is a distinguished graduate of rotc programming deutsch university. he's a graduate of nato, joint jet pilot training at the usaf
9:47 am
fire weapons instructive course. he has commanded a fire squadron combat operations group into combat wings. the general staff assignments include plans at the u.s. central command, chief of the checkmate division air combat command inspector general and u.s. pacific command director of communications systems. prior to his current assignment, he was director of operations headquarters at u.s. air force. general williams is a command pilot with more than 3600 hours in the f-15 sea and more than 100 combat missions in operations desert shield, desert storm, southern watch, northern watch and iraqi freedom. please join me in welcoming major general brett williams to the stage. [applause]
9:48 am
>> good morning. you can hear from my biography that you could not have had a better training path than i had to be cyber guide. you have to wonder after 28 years of training as a fighter pilot you end up being in the cyber business. this is what happened. i'm sitting at the air base in okinawa japan if anybody is been there it's a great swing come a great command. you've got fighters and tankers and helicopters and rivet joints and all sorts of great missions. you're sitting their minding your own business one day and the phone rings and you pick it up and it's the pacific air force commander. he says i've got the next job for you. you're going to be the next j-6. >> unlike what? there's something wrong with the phone or they hacked us again because there's no way that i'm about to be the next j-6 at
9:49 am
paycom. i'm talking to the paycom commander of the time who was at oral tim keating getting the initial briefing where do you live, what you think of the area laughter code you have any more guidance on that? operations fiber. so off on my way to do that. the first way i approach that is i got the communicators and the j-6 to get very and i said we are going to treat this like any other operational mission. i said the way we are going to measure success -- because you should always have a way to measure success before you start something -- within the next six months, if the j-3 or j-5 guys haven't planned anything together they are we to look around the room and if there is no j-6 person, they are not going to start the meeting and it isn't because it doesn't
9:50 am
work. we are going to make sure that people understand how you take com and cyber and make sure people understand how this fits into everything else that a combatant commander has to do in order to satisfy the mission that has been given to him so that is what we worked on. the other thing that became immediately apparent to me as i started to get into this was first of all, in the same way you go out and fly an airplane, you don't just adjust your goggles and throw a scarf over your shoulder and go fly. you have to know more. degette further and of course it is the opposite. there's a hydraulic pump that does stuff. you've got an electrical generator in the dust stuff like that and you have to know what happens if those go wrong. since you have to have a certain level of technical understanding of the weapon system. and so, i had to do some work to
9:51 am
get to understand some of the technical details of com and cyberattack and intel and the things that tie into that. but the more i got into the tactical details, the more that i became completely obvious to me that when we approach operations in cyberspace on the level of a combatant commander, we need to approach at the operational level of war where you plan operations and you bring campaigns together that we can approach it exactly like we do operations in the domain. if you with heard me talk before or any of the things i've tried to articulate, i would say that is the number one thing within my area within the cybercom and the mission within the department of defense is that we need to treat activities in
9:52 am
cyber exactly like we treat operations in the air time domain. so from the execution standpoint that the operational level, we should apply joint operational planning procedures, the military decision making process, all those things with an objective desired, center of gravity come all those things folks that have worked in the military system understand, and all of that applies. we should start with the doctrine that exists out there. what we've done is a good job of convincing people how different and mysterious and technically different cyber is, which it is, but i would argue operation to cyber are unique but they are no more unique and flying an airplane is unique from operating a ship. so that's the approach taken to cyber. what i would like to do today -- because i completely understand, even though i couldn't spell until i got to j-6 and they said you are going to speak next week. so i've been to several afcea events and i know the objective of afcea is to bring together industry partners and
9:53 am
particularly in our case the department of defense so we can understand what is the mission and what are the requirements and how we get the requirements satisfied in a way that allows us to do what we have to do. and that becomes obvious the increasingly important as we look at where we are with budgets and how we are thinking about allocating resources within the federal government. we're going to spend the next few minutes talking to you about it what we've done the last six months or so and defining cyber command as a sub unified command. as we continue to grow and evolve the command it's important to be fine with the mission is, what the units of employment it takes, how we command control and what does that operational environment look like. then i will finish with a lot of you are interested is what are the things we need to do to enable that mission? because they are all, for the most part, very technology oriented, and there are some differences -- some significant differences in terms of the technology we need to be able to operate in this environment to
9:54 am
do command and control and that sort of thing. let me talk quickly how we tried to define the cybercom mission more clearly the last several months. the first thing i would tell you is we have three basic missions. we have one mission where come as a member of the department of defense, we have a role in defending their homeland. so our role is obviously focused on those aspects of defending the homeland that have to do with cyberattack and other types of things the what happened in cyberspace that would affect our national security. so, in that role, like the rest of the department of defense, we function as a supporting command, if you welcome to the national command authority and the department of homeland security and along those lines in order to defend the homeland and defend the nation and contribute to the defense against malicious cyberattack spirited the second responsibility is to secure capri and defend what we have defined as the department of defense information networks. you may have previously known that as the gig, the global
9:55 am
information grid but we've published and updated the document is the dodin. and then the third missionary is to support the combatant commanders. so those are both regional combatant commanders, people like the pacific commander or central commander, pay, and centcom and functional commander people like transportation command for strategic command. so those are three missionaries. so the challenge we have is in the same way fi heard elbe or invented the internet many years ago it was never designed for military command and control, yet fundamentally we use the internet to do military command and control which is what creates a lot of our problems it wasn't designed to be a robust yet we have adapted it to do that and in the same way to all our services, the army, navy,
9:56 am
marines, they developed the force structure, they developed cyber primarily out of the com and intel fields to do service missions, to do here force, navy, marine and army missions. that is not the same as air, land and maritime type of missions. so, defining the missions that defend the nation, secure come offer date and defend the dodin and combatant commander support, we need to align forces, if you will come to each of those missions. so what we needed to do is take things that, you know of because right now all of our stuff is the whatever network warfare squadron, task force one 076 and it's the whatever military intel brigade. if you look at those, you have no idea what they do for you in cyber. yet anybody in this room fis would as an infantry battalion to come up with a strike squadron do, you can define
9:57 am
that. one of the things we've had to do is define our mission and then a line capability and capacity to that mission. and so you've may be seen some things in the open press recently that talked about how we are defining what that force structure looks like and how much of it we need to be able to do our mission. and so, what we are working through right now is taking what forces have been dedicated to the cyber mission, and fundamentally defining what is a unit of action are units of employment to do our mission and then realigning our forces. because as an operational commander, in the same way that you define i need ten squadron and three brigade combat teams, you need to be able to see what kind of cyber units do i need, and how many of them do i need. if you can't do that, then you can't really do your planning, and you can't really understand where am i taking risk. equally as important as you go over to the reinforcing side, and if you can't in a way that
9:58 am
people don't know anything about cyber convey what is the capacity and capability i need to execute my mission in cyber, then you will not get through any of the resource drills. so we have defined what we think the requirement is to execute the missions i just described. now you go into the resource and process. everybody knows there's more mission requirements than there is stuff to do it so the same thing is going to happen in cyber. we've define the requirement for the number of cyber units there will be a decision made in the same way we make the decision to reinforce a percentage of that and then the gap is risk and we have to decide where we take the risk. so, again, like i talked about operationally from the resource perspective, we need a way to put cyber into the same nomenclature so that people can understand what it is we are saying and so we can get through the same decision making process and how we use it. once we define our mission space now we have units that do the
9:59 am
mission, then we have to talk about what are the lines of operation? how do we do this? you can think of it in three lines of operation. we do dodin operations, network operations, so the provision, operate, maintain the networks commit to a static defense, things like firewalls and anti-virus and things those that may be familiar with the host based system. so those are the things that define what you're networks look like. they set up the moat and the walls around it and all that sort of thing. okay? no matter how good we get at that, that isn't going to be sufficient because if we hard in the network such that nobody gets in, then we can't get out and we lose our flexibility and adaptability and the ability to do what's the most important thing we need to do in cyber i would argue which is command and control forces. so, we have to assume stuff is going to get in. so the second mission we have is defensive cyber operations, dco.
10:00 am
there are two aspects of that. we have a requirement for people to maneuver in our friend the networks. they have to maneuver and they've got to go around and look for stuff that got through the castle walls. they've got to find stuff that wasn't caught by the anti-virus or firewall or whatever that was. we have to actively look for that stuff and when we find it, kill it. we've got to understand what that is. so the key devotee to hunt on our own network is a part of the dco defensive cyber operations. other things we have to be able to do, just like we treated the national training center or at red flag, we have to have somebody that stimulates the opposition force. so we have to have 18 capability. people that can emulate the threat so we can train against them and understand whether we are ready to execute the mission. other things we have to have is people that can go out and says the network, look at the full
10:01 am
portability and devotees the network odors or preferably the commanders where does it make sense on the operational mission and those sort of things. so that's part of the dco. the other part of the dco, i think it was 12:15 we learned catching heroes isn't that much fun. it's preferable to kill the archer. so when we think about another aspect of the mission, we need to have the capability to go outside of our own networks and a block the heroes. we need to be able to go out and prior to that, we need the opportunity to go out and stop it before it gets here. the analogy i sit on this side. we can wait for the major to come down and shoot him down. would be better to shoot them down so that all of the parts and pieces fall over there but maybe better than that would be good to blow up on the runway before it even takes off or better than that, we would enter the command and control so they
10:02 am
never told the airplanes to take off. the bottom line is having the capability to operate outside of our own networks across the spectrum subject to all of the rules of engagement, all of the policy, all of those things we have to take into account, we want to have that spectrum of options for the commander so that is the dco part of it. then finally, we have the oco offensive cyber operations to deliver the effects outside of our own networks to satisfy the national security requirements. so those are the three missions basis. so we've got the three missions, operate and defend the dodin, defend the nation, combatant commander support and we do that on three operations, dodin, site operations and the challenge we've had i would say is as we go forward, people that operate in this space know that you can't -- you can't do those in
10:03 am
isolation. you can't clearly define what this defense and offense. if we did all of that defense that stuff, that operates the network and defend the net work perfectly, we may get to 70% of the fact we need. we have to have all of that capability. likewise, if there was no policy, no rules, if we operated like a hacker in his basement and we didn't care about any of that and we were willing to go into all this base outside of the networks and do everything we possibly could, we couldn't stop everything that comes at us. so being able to coordinate come into great, synchronize and the conflict operations across us, defense and offense is how we get satisfying with our combatant commanders need and what the commission to the commission requirements are. i would argue to this point in the deep conviction has been the point of the realm. we cannot operate like that anymore. we've got to be doubled to coordinate come integrity and synchronize operations which
10:04 am
takes me to then the next portion which is what is the operational environment look like and how do you do that? and so a couple things i would throw out up front is my assertion is there's no such thing as cyber conflict. there's only conflict and cyber provides another medium to exercise the elements of national power, and one of those elements is the military element but there is a full range of national power, and cyber fits a piece of that. and i think there's a tendency sometimes to think too much about every -- it's got to the cyber come cyber, cyber. there is a whole range of ways to deal with this and the better we are thinking about conflict and competition as cyber but one element of that, and i think certainly when i look at military planning that is the best way to think about it. the other thing that makes the environment very challenging is
10:05 am
that we create very easily tactical operational and strategic effect which is no different than any other domain. the junior military member some place in afghanistan does say a single isolated incident, and we have all seen where those have immediate strategic effect spigot is a tactical, operational, interwoven insider. what further compliments that for cyber is the nature of this base such that not only is it tactical, operational and strategic factors, but you can't isolate it from commercial, civilian, federal government, department of defense partners and other nations, activists everybody has access to this base. it's technically easy to get access, it's not resource intensive, so we have to consider a wide variety above
10:06 am
and beyond. if you start thinking about that and then take the basic environment we have to operate if a commander can look at the two dimensional map and see the borders and units and that sort of thing and in cyber there's models of their but in the simplest case there's a physical and geographic layer and the logical that that creates the way you interact as a cyber persona and finally there's the human so you're looking at it very multi dimensional space you have to operate in which there's strategic operational tactical effect that affect the civilian community, the commercial community, the federal government, all of that, and so when we talk about where does cybercom mission that i described fit in there you can always get that in isolation and so when we look at the requirement to command and control the forces from the cybercom perspective along those
10:07 am
missions it requires a completely very specific differences that are going to have to be driven by different technologies for us to be able to operate in this space the way we need to. i will finish by talking about what i see the requirement being for there. before i talk about the requirement i will talk about the to process these that we have to address. i have a chart that i use in some briefs someone like an odd etds dak but if you look at the environment and mostly provided through cyberspace, at the bottom of that you would look at where the data comes in so it censors and all of that has to move over the transport labor, all that kind of stuff, then it gets organized into networks. for us it gets all over the
10:08 am
networks and be protected with a background command than it is displayed in an information later or we should do more knowledge management and we do but let's say we get to the knowledge management and sola about getting the data, moving the data, using data, putting it in front of the commander said the commander can make a decision and do it faster than the adversary. the challenge is as our industry partners understand, and as our communicators understand, it is the cheapest way to buy that is in those layers. single data center, single fiber trunk, desktop station, all of that. that's the cheapest way to do it. the commission runs vertically if i have a ballistic missile defense system, and interested in top to bottom. top to bottom, where does it moving, what training, what is the knowledge, all that. so we tend to need that operation vertically which competes for me resource perspective with the most
10:09 am
efficient way to buy it which is presently. so that's one aspect. the second aspect we have to deal with -- and i would argue in my experience we have a long way to go with this. you have somebody with an operational requirement it can be someone like me, it doesn't matter -- >> we will show you all of this a bit later on in the program scheduled and take you back live to the communications and electronics association in their forum today on cybersecurity. up next, a discussion on understanding side were adversaries. this is live coverage on c-span2 >> good morning everyone. thank for joining today. this morning we had a distinguished group of panelists representing the information security officer from across the government. our panelists are representing
10:10 am
dhs, hhs, defense security service and air force as well. briefly we have a handful of questions, so feel free given all of the changes in the economic environment, the challenges that it goes today, our security as a whole as everyone knows is a large priorities we have to be about to present a panel today that stimulates good ideas for future growth, new teamwork ideas and that kind of thing. i also want to say thanks for hosting a new federal chief information security officer alliance that they are reforming. actually this morning we have a meeting at 11:30 so if anyone, chief information security officers in the federal government, the room location if you check with the registration table .2 in the direction of that meeting.
10:11 am
but since we are pressed for time, we are going to go ahead and get started. if you want to come on up. and emory will be moderating discussions. [inaudible conversations]
10:12 am
hello everybody. i'm the deputy chief information security officer for the department of homeland security and also the technical joint authorization board for the authorization program for the department of homeland security and happy here to introduce a number of distinguished speakers to talk about the challenges facing our environment right now. i would like to go through and introduce everybody that we have here today. we have ken brodie, chief information officer first one, we've got jeffrey eisensmith, the chief information security officer for homeland security who just started in december. prior to working with us at homeland security he was the affirmation security officer of the immigration and customs enforcement location. we have alma cole, the chief system security officer at cbp and before that in charge of the leadership role at working the
10:13 am
dhs security operations center for many years we have kevin charest with us as well. he's the newly named coming and when i say mean within hours or days chief information security officer for the health and human services, and we have rich naylor under the defense cybersecurity division. we have people that work in the operations side. i know kevin was doing operations at hhs long before he was at ciso. we have alma and some internal and external facing. we have a couple coming in as well, but we are going to start with just going down the creek and seeing what do you see as the big challenge, just one big challenge that you see facing the environment right now in terms of cybersecurity. i know we are seeing a lot cybersecurity coverage in the news the last weeks. it's definitely gone up in the last few weeks. you are seeing it on a regular
10:14 am
basis. i know i'm seeing an equal number of e-mails coming in from vendors willing to introduce themselves to me as a timely. let's hear from the panel, and we will get to your questions as soon as we kind of gotten an impression where they see the challenge is coming up right away. >> good morning. am i on? i knew there was a problem with the lineup last in the line to talk first. [laughter] there's a lot of issues. we don't have to really really that to this group. i guess if i had to pick one single thing at this particular time, it would probably be the advanced persistent threat. a dutch general said earlier what we don't know, the that danced persistent threat, we no adversaries have burrowed into our networks. we know there resident there. it's kind of like a internals timer ticking on the network. so i think feed apt is my first
10:15 am
and foremost area of concern with about 50 other things beyond that. >> to do a test is this on? can you hear me now? all right. sophie apc is totally number one. number two is the resource crunch for the phasing today, and that's sequestration and whether that's just the fact that the i.t. budgets are getting ground down and as the i.t. budgets grind down we will see the security budget falling as well. i would like to say for me, the flag that i'm championing is ongoing authorization. how do we get out of the box of every three years we have to create a 300 page binder that costs a fortune, and all those resources that i could use in a way that would give a better investment from the cybersecurity standpoint would be very powerful thing.
10:16 am
so, for me this is going to be focused heavily on the idea of ongoing authorization. >> so obviously i have to agree with both of those things without a budget to really address the gaps we see it in the traditional security technologies and what we may be actually able to pull together on what they are doing in the entire networks and keep them out of our networks. obviously that's going to leave you with huge challenges. but really one of the things i want to focus on about the things that we are saying as far as the threat actors ago that's a very alarming is more towards the disruptive tax to the cybercrime is and the other sides of the threat actors of real desire under the radar to
10:17 am
not mess up information and of course this last year if it is anonymous or other types of accuracy is a lot more destructive type of activities that have been going on and that is a trend that we will probably see increase. >> so, i would of course agree with everything once said and i would agree with jeff on the ongoing authorization. we are the seventh chair of the committee and address that same issue. one of the challenges i see in health care and space is innovation versus security. the idea of bringing mobility applications connecting with populations that are at risk being able to do that in a secure manner allowing those to connect to your network being able to do that and the reduced
10:18 am
budgets resources and of arrest is rather challenging environment and really using the opportunity to partner with industry as well to try to leverage that capability across. >> there are so many but the one i would pick on is essentially what i would call the unequal distribution of the knowledge and information that we do have to mitigate risks and spread that adequately in the ecosystem to help protect the ecosystem. you know, write to my point there is a lot of capabilities in the but i will call the service vulnerability on those touch points and the knowledge that can mitigate the risk and getting it to the right person in a timely manner is the challenge i face on a daily basis.
10:19 am
>> we have a number of questions i'm going to ask you to jump in so again feel free to send comments or questions. you know, kind of a follow-up to the last statement that we just had, when you look at the authorized organization how can we better educate them to understand and balance the need of the mission and the need of the security? there are a lot of conversations that i have across the department of homeland security where we have security officials people see you coming down the street and they turn the other way. you know, how do we go and change that story from security being no, no to how we balance the mission and make sure people are making the right decision and make sure that this is an
10:20 am
informed decision for security so we will see if anybody on the panel wants to take that on. >> one of the things the we did at i.c.e. was we looked at the ses ranks, those were the author is officials and we said how we get more skin in the game, how we get them more engaged in the security discussions about getting the system's tight. well, it was easy, we just put the business score into the scs, right? [laughter] is a very simple thing. but that first year, we had a really interesting in-depth conversations about how do i balance mission and security. they came to the table a whole lot sooner.
10:21 am
we were able to have discussions in the design phases for the next up coming capabilities to the it was very simple but very powerful. the trick is to get your program managers to have skin in the game and that is the most i can think of. >> i would add to that, leveraging the expertise to the cybersecurity they don't necessarily have the capability in the programs available to us and what we started to do with pretty good success to recognize we need to make sure they've got the proper training and understand the security issues and security risks and the house security can be a mission in the boehler. oftentimes it's all about research that's critical to the
10:22 am
mission but we need to do it in a way that that research is under review the board and it can't be compromised and it doesn't lead the opposite effect so the security frees up against the mission profile even for the strong mission we find that it starts to make sense but it doesn't work without dialogue and -- >> i was going to jump in but the risks i will pylon essentially with the way general williams articulate this morning i think it is incumbent upon us to articulate their risk that your agency and admission is absorbing by doing certain security aspects or not doing them so it's a little about the intellectual honesty and understanding what that means in terms of those making the traces
10:23 am
>> anybody else? >> i think it's important to have the intelligence driven security and its powerful to be able to come in with the information about what is happening on your networks and what various people are trying to do giving them a theoretical risk matrix to say this is a high priority over here and because they are playing out on this way taking things out of the fury and into more applied sciences and having solid data that picture certainly helps prioritize and get behind what actions need to happen to be able to rectify threats and things like that. >> i want to close by saying with the air force we look at
10:24 am
the risk in two sectors this business process owner risk and enterprise risk sold there for some is divided the risk there are certain security controls that if not compliant bring risk to the enterprise network then there's certain security control but only bring risk to the mission were the business process backing at your data regularly has nothing to do with the enterprise networks and to speak so by dividing the rest it brings the two together, the enterprise network and the mission owner they have to collaborate because the rest division is key so the uprising officials feel more in tune to the mission and they can focus on the risk enterprise networks. so, by clearly delineating who is responsible from the risk
10:25 am
perspective that drives the dialogue that i think is absolutely the key. >> one of the follow-up questions we have in terms of, you know, how are we managing it at [inaudible] we are looking at that particular threat factor. >> i will go ahead and start. the way of doing fittings which was created in that massive binder the information security officer with the line is to the mission to the function to create the binder, and when you looked at how much value was returned to that function i would say not much. today we r into the monitoring,
10:26 am
the continuous diagnostics. the role has to change significantly to the if you look at the early years of defense, you've got the outer perimeters, the einstein, the security operation centers that are on the enterprise level and the lower ones that are down and you go right down on top of that system looking at the audit they are the ones that are going to catch things everyone else mrs. mrs. and it just doesn't smell right and to have to give that to both prosecution to do. this one out. that will be the key to retool the work force away from the mentality to the continuous monitoring and litigation diagnostics.
10:27 am
i paradigm. >> one aspect of a threat and that being in the defining the insider is also the unmeaningful liffey welcome and combining that with the data that indicates getting your adversary to click on them now where is the number one of invent filtration -- infiltration. it's trying to get at the individuals in the corporation that otherwise would have essentially been unwilling. as of the training programs to test programs, exercises that pretends to be middleware -- malware seóul click on that are some excellent examples i've seen and it always befuddles me if you have anything about litigation and the title or lawyers the always quick, and
10:28 am
i'm not sure why they will. >> i would agree with you the transition has to help between the parameter base security model where we built the mode and the walls and put this why iran talk and we are rall protected. it's highly universal, his highly transitive environment. we start to transition towards the model where we are not sure where they might be in our environment and they may be moving into the ferry transit if so recognizing that continuous monitoring and diagnostic and the transformation of the work force is required we can't make
10:29 am
the exception, of a continuous monitoring diagnostic is going to translate into different behaviors. we need to educate some initiatives around that such as the work force development and the framework that is coming out. we need to leverage all of those things. but again if we don't translator that to the senior management leadership and understand why it's important and how it's facilitated the mission, we are going to run into the resources on the dollar capital resource issues >> building off of that and i know, alma, you've been working on the cyber work force efforts to date we have a question from the audience. we dhaka lot about internal threat. that's appropriate given we were given other budget security conference.
10:30 am
that makes the best defense, not necessarily mean speaking but i'm reading the question. given that it's taboo in this country, how will we ever build a culture that facilitates the example of this skill set? >> so, i think that there is and has been a lot of initiatives inside of dhs. a lot of dialogue. i think the middle of the year last year how does the dhs internally build a better culture of real, no jokes aside personal expertise that will be on par with everybody else in the country. and it's been an intense matter of focus. things like this come up all lot. can we go out and hire that guy that has the right skills, bring him in in a competitive way and make sure that he has a career path and advancement opportunity and can really, really make a difference wherever he or she is
10:31 am
out? unfortunately i don't have the answer for that yet. we do have a program that we are developing. it's a multifaceted one. we are working with those of our already out there and established a scholarship service program to make sure that those traditional paths that we have more highly skilled people coming through as far as being able to do the skills. we also have a lot of work right now with our human resource professionals to understand how we can be flexible as we bring people in that media don't have a bachelor's or master's or because of the skills and talent that they have been properly placed them in an organization where they need to be to be able to contribute. so in addition to that, again, we are looking at really injecting a much more technical
10:32 am
expertise whether it got of the cybersecurity for the missions and security officers we expect to see a transformation of those individuals coming from what was once more of a policy in the paper work function to the hands-on target operators on the networks that really understand what is happening and can raise the flag on what needs to be raised. >> anyone else? >> we have a question how as an organization are usn the critical infrastructure to ensure the mission's success? i know you all have this challenge. >> critical infrastructure is one of those things that keeps me up at night. with the air force has we categorize our critical
10:33 am
infrastructure as something in the dod where it was platform information technology whether as a connection to the air force or not, different types of security requests would be applied to the network or a program of monitoring the elevator or platform information technology. so, they're forced daa and cio have certain platform authorizing officials cony and one of them being the industrial control system that is the senior physical engineer for the civil engineering infrastructure that individual has the ability for managing all infrastructure systems in the air force. that is the future responsibility but from the air force perspective no way to the
10:34 am
have the expertise to build into the systems and manage risk to critical and for stricter systems so they have parlayed that over to a three-star level executive management industrial control systems that same industrial system authorizes the official has developed an assessment process for all different types of industrial control systems and platforms. so it's not like the air force isn't doing anything about the industrial control systems or the infrastructure. it's more that they gave the responsibility for that to the person that knows most about those missions, the senior engineering and air force so that is pretty much what we are doing. >> i know we have a couple more people who can talk to this one. >> anything on the critical infrastructure? okay, one of the -- >> let me jump in.
10:35 am
on the critical infrastructure, again, the dhs has a huge role we have an executive order that had very much to do with strengthening critical one formation, working on the standards they are going to go help protect that. so there are a lot of things that are in there that isn't necessarily my side of the fence about one thing that we have done actually when it comes to our preparedness plan is looking at having very dynamic types of technologies that are out in the field that can rapidly move from one network communications method to another. so, we have a wireless device that could either be hard wired or come in over the cdp, but if those fail something else happens that we can dynamically jump over to the public airwaves and have the communications channel that automatically establishes coming right back into the enterprise, right back
10:36 am
in to get access to the critical tools that we have come to so being able to have that layer of being neutral so that we can use, you know, two or three or sometimes four different methods to be able to provide the connectivity back to the critical systems for the folks in the field. that is one way we are helping mitigated that in addition to attempting to build and diversify the rest of the system and work with our various providers to ensure their resilience to the different types of scenarios. >> kevin? >> yeah, just to add to that, we took the opportunity in last year in 2012 in the cipher program, they really give us an opportunity to identify critical infrastructure that we haven't perhaps identified in the correct way if the program hadn't really thought about before in an enterprise level hadn't been accounted for properly. so, that exercise has actually allowed us to kind of rethink the whole way that we characterize or categorize the
10:37 am
critical infrastructure. we have a number while we also have hospitals and resources and other things we have in some cases not recognize all of the critical infrastructure that should be on that list and there is still confusion oftentimes on the disaster recovery, contingency planning and critical infrastructure and where they all fit together that can be a confusing mosaic that we are working our way through but that has to include partnerships and programs that often times don't think about what happens so that is kind of taken out through those scenarios. >> as a follow-up to that, what kind of strategy are you having right now to force some of the challenges?
10:38 am
>> supply chain as the score earliest problem i can think of right now. it goes beyond what you want to call squishy. in times of incredibly tight budgets, to supply chain and the way that nasa does to get a lunar module, we don't have a budget for that so we really have to kind of cherry pick all of those captain obvious ones. i'm not going to go with them because i know they have an association that is nefarious. in the dod world i think you have an advantage that they give you a lot more ability to discriminate based on supply chain concerns that in the
10:39 am
federal space isn't amusing and we are working through that in congress to give us a little more power. but if you think about that, you are looking at a computer that is probably on the order of 400 devices perhaps more. do you know the lineage, even if you do know the lineage of the hardware, do you know the lineage of all the software? do you know what's been intercepted between .80 and be? if you go out and buy a one year prescription for the computers i think they know they want to get something into a computer or desktop it is a pretty easy target. so, there is no easy answer to
10:40 am
supply chain. if you have the funding you can do a better job. still wouldn't be perfect but in this environment where we do not have unlimited funding, we just have to cherry pact, like i said the captain obvious moments and decide which decisions you can go with a more inexpensive solution, what will make you safe. >> so there is a lot of opportunity as well to work back with the various vendors and there's a lot of different supply chain threats. one of the most prevalent that have been seen and with those types it is pretty straightforward to be able to make sure the products you have are the ones you thought they should have and that's a process
10:41 am
that we've done in the past that we've got to be successful to ensure that we are as trusted as we can get in some of those areas. >> for what it's worth and haulier level the cost schedule and performance, until we expand that ll but and essentially make secure delivery that gets delivered uncompromised but the fourth leg of the school and we are going to continually be faced with this problem because it's the same issue and you have to execute based on the timeline you have to get down to a single vendor who makes that landing gear and choose whether you want
10:42 am
apart. but until we look at how we approach the acquisition and integrate the delivering the product and compromised and push that to the vendors we are going to continue to have the same problem. >> we have another question following up on this and specific technology. one of the questions we got from the audience today is as you are seeing the employment and the clout technology and areas of the sectors specific and the government only, we are seeing national, international, how do you ensure protection of data in the cloud environment?
10:43 am
>> i guess when you talk about the cloud you have to determine a few essentials and in a private club, hybrid or public. not so worried about private cloud in many aspects. in my mind i'm considering someone in the public to throw something at me, but it's just good engineering. it's really almost tied to your supply chain issue. the part that really concerns me is the small and medium-sized company. you know, essentially this is the beginning of my personal opinion the beginning of outsourcing, even more greater outsourcing. it's almost like the power grid issue. but those companies, it's just going to be cheaper for them to buy that as a service. so now they are dealing with your product soon the services and difficult thing for you it is on a wedding. it's on wedding on their part to
10:44 am
push it out in the public domain. and having to attract and protect it. that's going to be bugaboo. it may or may not is less concerning to me personally. >> so as an engineer, one of the biggest problems i have come up to the ranks was get the okay to begin a project, get your budget, get the contract. the contractor goes out and does a plan, has to do the bill, start putting things together, and you down rage, what, i year-and-a-half? in today's environment that offsets, i'm sorry -- baiji yes can't survive that old model. there is no way.
10:45 am
it just can't happen that way. so, it's the ability of the federal government, and its dod, dhs, gsa to pre-certified and assess the providers so when you are ready to start a job, you don't have to spend that six months trying to make sure they have the work they need. so you are trying to market your ability to satisfy your customer with a secure solution to get a product on the ground quickly is one of the key tenants. the others are spend the money and it's used by many so in time
10:46 am
it makes more sense to this. you can get these providers a different of levels. you always have to encounter their resistance, the same resistance you have when we went to the virtual come if i can't have that computer and server, it just feels like it's not mine. as we all know, virtualization works. it's the same thing with clout to get people saying you know what, how do i know that provider, that certified provider is going to be able to do what i need him to do at a security level that i need? if they are following the same 853 controls that we are, is being a federal government cloud
10:47 am
anymore guaranteed? you might say to you have seen in the game? all right. the answer is if you are a government executive in charge of that cloud coming and you still pii for 5,000 users, it's not a good day for you. so, in reality, when you use these providers you should do a service level agreement that shows they have skin in the game so, for instance, it would be your going to buy insurance for everybody to do pii skills for. if the cloud provider isn't willing to do that, well then that is a question, and if they do, then they have scan in the game now -- scan date come skin
10:48 am
in the game. >> this is a security n/a any boehler. >> not all cloud providers are created equal but many times it can actually enhance your visibility on your data and systems and accessing systems. and also, to be much more of a hard target because some of these guys have an immense amount of specialization in those platforms. so, going into the cloud sometimes can offer enhanced security when you have the in house and it can help you greater understand what is happening. >> i agree actually. on the reality of a strategy it's not created equal and one of the things we're looking at
10:49 am
in the strategy and the connection program and all that is to say how many can be supportive on the maximum number of applications. not trying to win the competition but trying to say there needs to be a balance between the cloud and the number of proliferation applications and then still maintain that security status. so, again, the statement about innovation versus security. there still needs to be in balance. i wouldn't want to see the hhs using 100 cloud providers in a year from now or two years from now i think there would be an unsustainable model. >> i would just say that from a air force perspective, it is about the efficiency, gaining efficiencies. you're not going to put your mission critical apps and crown jewels out on the cloud, but it
10:50 am
does allow you some flexibility to leverage that technology for your business process these and that is a good point was made because the actual accreditation of the provider has already been accomplished but the authorizing official within your organization still has to authorize the operation so there is a risk decision to be made. it's just not approved i can use you there's still a methodology that goes into that. i would also tell you that the most significant piece of buchwald computing strategy is you have to have rock level agreement in contracts and again if they are using the same control that we are, they've already said yes they look good from the moderate. we can leverage that and boost our applications to gain
10:51 am
efficiencies and ultimately save dollars. >> another question from the audience what types of technologies to we face today? deer getting smarter and faster every day [inaudible] >> once you speak on the accreditation process the hacking ochers a different levels in the network. some over the application level and some of the network layer. i think what we really need to understand is we need to start thinking about the resiliency. you're not going to stop all this cat and mouse game that we've been playing for years you're not printable to protect everything. you're not going to be able to stop intrusions. what we need to focus on is the most critical the applications and systems making sure that
10:52 am
they are protected, our crown jewels if he will come and start working toward things like contingency. how do we survive and continue our mission is under attack in the network and system resiliency? i think we need to move to that because this game you come up with mal -- malware and we are back-and-forth and so resiliency is the key. >> if you are old enough to remember the movie the graduate, to me the word would be reconstitution. continuous monitoring is our ability to spend our resources at an off tempo kind of on the same lines with what our threat sectors are because if you think
10:53 am
of the threats that are evolving and let me fill out some paper work and i'm going to be in good shape and that is going to last about a month before, so the monitoring will be the place we put their resources on. let me see of the fact they just popped up where did the assets go that were there five minutes ago? is the software one that is to keep from the tax but no matter what we do in that arena, we are going to get had, so things like that cloud and the fertilization -- virtualization you said you cannot be had if you are
10:54 am
operating, the most secure system if you put it in a box and felt with cement and put it in the bottom of the motion does it do anything for you? know. so if you're operating unit you are exposed and make these decisions forces security you are always going to push the edge. the key will be how quickly can you give up on your feet and accomplish that mission again. >> said the signature based technology is certainly not sufficient anymore. when we talk about the attacks, certainly it is something that happens and even other attacks if there's a specific signature from the vendor and depending on the type of technology, if it is slightly different than the last round, it may not be attacked in the crucial technology so it's very important to be a will to have the capability to do
10:55 am
advanced malicious code detection that can classify things from a behaviour basis that are never seen and heard by anyone else. and that is of course all about learning from your attacks, things you have seen attacking you, and then being able to implement the defensive measures against of the various phases or cycles of that attack that might go through the course of doing whatever the bad guys try to do. and then that actually really helps you build those layers to understand what is it today that the biggest thing that we need to address. so in all of your building, you do -- jeff said you need to understand you are not coming to be able to stop everyone, every time comes to build those contingencies on how you reconstitute and how you find them on the guide and then have
10:56 am
a plan to actually raise all that activity after you fully understand what the scope of that activity is. >> we had a couple questions that came in from the audience. as the amount of time are hibernating and such as the reputation what would you require to be applied to the cyber challenge? how can use use the data sensors in the future? >> it really is important and going back to this id on the signatures are not enough you have to understand what is happening in your network, not someone's sick to become a cloud of or malware. one of the most valuable tools
10:57 am
that we actually have in our arsenal regardless of or not we thought it was malicious at the time, and what that does is several things. if we find our intelligence that we should have looked at that happened last week we should go back and look at it but also all of the defense that we might see into context for what that one house was doing at the time that actually triggered that event so it reduces our false positives and gives much more insight about where and why we have some of the issues that we might see and they're really makes all the difference. you combine that with analytical capabilities or security at the manager type of tools that can work even more effective than some of those technologies because again, the defense that you are seeing that you can actually ever stand with that is
10:58 am
doing in the context around that java download or that pdf or whatever it is and that is an incredibly useful source the mentioned reputation based. having a reputation based faltering overlaying that, we can help you in proactive measures to block most bad stuff right off the bat, but it also can help as a risk assessment tool so they can focus on the areas that probably will be more risky than others in the account as they are creating things like rules. it's extremely useful and necessary. >> there is no question the amount of data that is collected from all the sensors and tools. you can log everything. i think we are well over 10 billion a day, but we are all
10:59 am
supposed to sit there and understand within hhs. so the challenge is what you do with this incredible volume of data? you don't necessarily know that you needed there. there's no idea that there is an issue until there is one and then you certainly want to be able to go back. so we plan to focus, as emory mentioned, i spent years building cybersecurity operations and so the focus was really on having the understanding to go along with all this data so you can't possibly pay attention to everything as it comes across. so why should you pay attention or even if it is retroactive for retrospective why would you go back and look? having the ability to fit all of the raw data and build the context will framework when you build what we call the deep dive analysis team coming at this is a rather challenging area dealing with the traffic
11:00 am
behavior. .. >> it's what i think we have to do. the notion that you're not going to have even more data is a false one and we will continue, they will continue to expand as we enhance our security capability him even from the cloud.
11:01 am
>> one of the follow-up questions from the audience, you talked about the retention, you know, the question was how long do you think a good amount of that data -- reflecting more and more everyday, how far back do you think we need to do? how much do you think we should be doing for the time being? >> is there a bad answer to that? as much as we can. >> i agree. >> as much as we can, economics more than anything. >> what can you afford? are not going to say how much we have, but we have as much -- >> i would think that if you don't have at least 90 days, you're probably going to be struggling. >> but it should go out from there. and again, the more you have them i think the goal should be much greater than 90 days, but again it's an economics issue.
11:02 am
>> another question from the audience, kind of summarizes some of the challenges you are seeing. what do you see as some of the top cyberthreat gc coming down the pipe in the next seven years? >> ten years. >> being ambitious. >> those darn flying cars. >> i saw a profile on the cyberattack of the day where essentially it was low and slow. so essentially it's getting around all of the various mechanisms, security mechanisms we have in place. is scanning itself goes over a series of months, coming from five different class a networks from, you know, 16 to 160 different skins. is just the scan profile. been low and slow, once probably
11:03 am
got in, low and slow extraction. this was actually a test system with all the latest intrusion detection's and the like. and under those, think the issue is, you heard it this morning, ma the guys are really good at it and really smart at it, those that go undetected and realizing that they are actually in the network and how do i ferret them out is, is the thing that i think that's going to keep you all up at night. >> anyone else? >> i would just beat on the industry just briefly. the proliferation of electronic health record, the integration of health information, all of those components that are driving -- it makes a great deal of sense. we want to reduce mental mistakes and want to ensure people have a healthy environment in which they can
11:04 am
receive the best possible care. but all of those interconnections now and industry, state government, federal government, entities all across the globe in some cases, create an environment of considerable threat. you also have the challenge of an end-user population that again, speaking health care sector, very often is not at all the idea of using authentication to log on. i don't have time for that. so those are some of the biggest challenges that we have is still recognizing that at the end of the day, whatever server you want to look at, still the primary way to get into our system is to our own people. and through the eagle lack of understanding or lack of
11:05 am
commitment to the environment, to securing their rhyme it, that continues to be something that we want to focus on in partner with our sector partners as well. some of the latest research out there, we are seeing taxes on hospitals and various other elements. but fundamentally they still come in through fishing and lack of writing your passwords down on your sticky notes. that still goes on every single day. and until we address some of those things, it's not going to solve the problem. >> so the silent data, that is certainly a threat today. that sort will continue in the future. sort of like olivia munn we started all this. i do think that disrupted the tax we've seen more them as of late last few years. it seems to be a rising trend.
11:06 am
that's something that are really do think we will probably see more of and hopefully in 10 years we will be a better posture against those types of things. those are certainly initiatives we're working on right there. we desperately need, because some will take advantage of the systemwide weaknesses that may be out there today. >> so i would say from a standpoint of what would be a similar paradigm to what we're seeing today, so when i first start off, that bicycle tires, automobile crash, pretty much day. there were no seatbelts. there was a plate glass for the windshield. it was pretty dangerous, but as the economy realize that automobiles and transportation were really kind of key to how we had to move out, a lot of rigorous control came in because there was a lot of investment,
11:07 am
economy really dependent upon. when you're driving a car today, it is pretty amazing. you literally crash a car at 40 miles an hour and do a nonmobile cement block at the midpoint, and the driver doesn't get hurt. pretty amazing. so i look at the internet today, and there are some natural tensions that are occurring that the national tensions are you can't have time to market, right? the fastest path that gets to the market will grab the lion's share. at some point in time, people are going to demand more rigor. but more rigor is the enemy of time to market. i think we're going to see that sweet spot slowly start to move in the right direction. when? probably when it gets painful enough to do. i love capitalism but that's what drives that equation to
11:08 am
when we think will be worth our while to invest in proper security and how we deal in that transaction. so i will just say stay tuned. >> i will piggyback off of that here could comment. i will tell you that i believe we really do need to take a hard look at these firmware growing abilities, specifically we were talking about weapons platforms, aircraft, command control systems. because if firmware, you can pretty, you can plant a malware, firmware, but pretty stealthy and it takes a sophisticated, very highly technical skilled person to reveal that firmware flaw. and these are the type of things that we are putting in our weapons systems. so i think that, you know, three, four years down the road this problem will actually be even more to where it's going to come to the forefront just as come to so prevalent standard valor is today. so we need to start getting arms
11:09 am
from firmware and supply chain because it's right on this and it is getting worse. >> okay. i believe our action out of time today. i would like to thank our speakers for making this possible. [applause] >> i'd like to add my thanks to this truly remarkable panel. just the fact the we gather all the gentlemen here in one day is great for us all. and the reality of this world, really appreciate your candor, and throughout. with that, we do provide thanks. a little of a traditional black we actually, in honor of all our speakers today, we will be making a donation to our s.t.e.m. education fund. so thank you for being here for the. however, he did get the first an eclectic series of coffee mugs, which begins as you exit the stage. thanks very much for your time today.
11:10 am
[applause] >> folks, we're going to take a quick break year. but before we do i would just like to add my special thanks to our premier sponsors who will be in the exhibit hall for our networking break. [inaudible] >> bowling, mcafee and splunk. [inaudible] so with that, see you back here probably at 11:30.
11:11 am
thank you very much. we will have more from this conference on government cybersecurity at about 1130 time as we are from homeland security official suzanne spaulding, and andy ozment who is the senior director for cybersecurity. they are the luncheon speaker today and that's in about 20 minutes from now we'll have live coverage here on c-span2. until then we will bring the discussion on china's increasing cyber attacks on the u.s. from today's "washington journal." >> host: john reed is a foreign policy national security reporter for "foreign policy" magazine. good morning. thanks for being with us. this headline from the new times are good as we, a 60 page report looking at china's role in cybersecurity. if you review the report with the children?
11:12 am
>> guest: it was more fascinating piece of evidence, something we've all known has been going on for years and years and years if you been paying attention to cybersecurity. we saw proof that, very strong evidence of leaking of the chinese government to actual theft of intellectual property. you hear a story about defense contractors networks being penetrated by hackers who are in china and then a few years later it looked an awful lot like an american stealth fighter. this is the first time you could see it point at a building in china as a this is a building owned by the chinese government and say this is likely where this is coming from and here's what they're doing and here is what they're stealing. it gave that little colonel of evidence that we've all been wanting to see for years. >> host: what is the chinese government and the chinese army looking for? >> guest: it's a variety of things. they are looking for very specific things in very different industries. that going from aviation and
11:13 am
aerospace and defense industries. they were looking for coca-cola's negotiation strategy. so it's a number of different things that has to do with their business interests and their strategic objective as a country. he could be seekers of a military fighter jet or it could be a negotiating strategy of a business working in china or it could be the blueprint for semiconductors that are used in wind turbines. >> host: what do they do with this information? >> guest: many different things. they could use it to build their own wind turbines. they can build up their own. we see an awful lot of that going on. >> host: this is a piece written for bloomberg business week. i want to go inside and just read to you about joe stewart who lives in myrtle beach, south carolina, and he spends his day looking at this malware which is what, by the way? >> guest: at software that is
11:14 am
doing bad things on computers. bad codes that are doing a number of different things. >> host: a big part of joe store today is figure out the malware is built which he does to an astonishing level of detail. he can do the language on the computer which it was coded. >> guest: he is looking for the masters back home who are using that software to go and siphon information offer network and feeding it back to asia or russia or whoever's controlling. >> host: you point out the executive order signed by the president, one of the first pieces of business in the state of the union address. what did he put in place and how will that prevent this from happening in the future? >> guest: what the president is trying to share information between the government and
11:15 am
intelligence agencies that can collect information and the seize malware coming in and they see hackers coming and. what companies they believe are targeted by them. >> hostthem. that's one piece. i want to establish a set that their voluntary standards, what practices to protect their information from backing. what they call basic hygiene which is change your password, things like that. update your software, just the basics host the how often do people getting into who think it's personal, open it up and then create problems? >> guest: that's one thing, how easy it is for chinese hackers to pretty basic simple trick to get somebody to install your malware on their computer. you say hey, joe, i know we were talking about this press release tonight, review this document. it's actually from a fake e-mail address that isn't from your coworker, joe. >> host: are full lines are
11:16 am
open. you can join the conversation by giving us a phone call at (202)585-3881. publicans. (202)585-3880 democrats. you can join the conversation on our twitter page, let me share with you from an event we covered, former cia director general hayden who talked about this issue and the potential threat used as americans. let's watch spent china is not an enemy of the united states. is no good reasons for china to become an enemy of the trinity logical non-drug policy choices available to the chinese and to us to keep the relationship competitive, occasionally may be confrontational, never have to get to the level of conflict. now, that said, i armory told
11:17 am
you about chinese espionage and more broadly chinese behavior is very, very disturbing, and it should not be allowed to stand. finallystand. by the way, the president used the same -- there's an espionage danger and a constructive danger. >> host: we heard the threat from former cia director general michael hayden. what's the solution? >> guest: the administration needs to be focus on diplomatic efforts. confront china but then other people are saying what if china says so what? big deal, we don't want to stop. this is how we're going to gain strategic advantage tha but oths are thinking about sanctions, targeted sanctions against the chinese industries are benefiting from the hacking or using her house, go after people that you know are involved in hacking and say they are not welcome in the united states. >> host: let's go to tom from every pennsylvania, republican
11:18 am
line for john reid. good morning,. >> caller: morning. very fascinating subject. i have multiple points that would like to make with you. not the ones being -- the major reason that this problem right now is because when the internet was originated it was set up so that business interests, and people like this could have backdoor access to everybody else's business. and that they don't know what to do about the problem they created. the next thing is, we have this constant attack by the chinese, and they attack us in every way possible, yet there are people in america making tons of money happily to ship their production facilities and everything else like it and the research facilities over there, and so they have pressure on the government not to get serious with straightening the chinese
11:19 am
out. >> guest: to the first point, the internet wasn't designed, they weren't thinking, when it was first designed decades ago, it would be this potentially big and you would see it, a tool as kind of an almost, not take credit trade were but an espionage where you could steal all of your rivals trade secrets. so now we're trying to look at how do we do that while maintaining the freedoms of the internet has been made so amazing in first place, that is changed the economy, change almost every aspect of our lives around the world. while protecting our trade secrets. >> host: when they go to the chinese government and say look, we know we are doing, you need to stop this, what's their response? >> guest: to date the response is we think it's outrageous and you can't accuse us of this. we don't sanction this at all. this is not something that we endorse at all. >> host: i want to show you,
11:20 am
this gets to the complexity of what we're talking about, new times and the "washington post" publishing this view that explained, this is just a portion of a longer video of how this is done. >> logging into one of his operation e-mail accounts. he has used this account for spear phishing and generate additional e-mail accounts. the inbox shows confirmation enough for additional accounts that he created as well as spouses and nondelivery receipts for messages. most of which seem to be focus on military exercises in the philippines. notice the gmail generates a suspicious login morning. informing him the ip address, which is part of one of the home ranges, which used to log into the account. >> host: the video is available on line. it does get complicated, and you have some sophisticated skills to do this, correct? >> guest: yeah, she do, and that was another interesting thing in the report.
11:21 am
this organization, people who are very sophisticated in both computer, in hacking basically come in computer networking, but they also needed an intelligence professional and also need to go to speak english and they needed an entire organization to support this very sophisticated operation. >> host: you use this term spear phishing. >> guest: it's what i described earlier. so i say you get an e-mail from john read, and it's from, it's not from a gmail or yahoo! or in my work e-mail. john reed at rocket mail let's say. but it says i want to discuss the show tomorrow and here are a few talking points. attached a word document. you see this come it doesn't quite come in a not quite sound like me but we are seeing the hackers getting better and better at sounding like they are from the west. but you think this is real and you clicked on it and you've opened up a word document and index your computer.
11:22 am
you didn't think this is an e-mail, this was a piece of spam or any now from somebody you knew and had to do with your business. >> host: we will go to roger, independent line. good morning. >> caller: good morning. >> host: go ahead, roger. you were on the air. >> caller: do you think that it's possible that chinese will use the american debt that we have with them as leverage and all sanctioned you might try to hold against them? >> guest: i don't think either side going to go to that point to other people have said what happens if this escalate so military complex? i don't thin think you want to t into and out right trade war. i don't think that's the next step in this. >> host: what worries you the most as you follow this story and see potential applications? >> guest: what worries me the most is, nobody wants to escalate, we just talk about.
11:23 am
we don't want to escalate this into an outright war, but how do you stop the? you saw this happen between universities in britain a couple centuries ago during the industrial revolution were we americans going over to england, memorizing the plans for textile mills and coming back to the united states and building them. how do you stop at? can you do say, china, stop. what do you do? will sanctions work or do we need to focus here on protecting rather than sing don't steal it, we need to protect a better come and invest in keeping our secrets secret. >> host: this is a sidebar to our conversation about the cyber threats from china but "the new york times" reported that china's new leaders is making his first overseas trip. it will be the moscow. >> guest: russia is the other main cyber hacker to consider to be the most advanced. some people will say it's relatively easy to see when the chinese are attacking you. they are not the best the are just the most rampant.
11:24 am
but the russians are among the most advanced on earth it and when they do attack you almost can't see and you don't know and you may not ever know that you've been attacked. they are very good. >> host: in your piece for foreign policy you outlined the obama agenda. let's summarize for those of you come this is what the administration is essentially saying. increasing diplomatic efforts for those nations that house these i do see. also increasing collaboration between government combating ip theft. the motion of voluntary best practices by businesses, and by businesses, enhancing domestic law-enforcement operations, improving domestic legislation, and increasing public awareness and stakeholder outreach. you touched on the first point. can you discuss the other's? >> guest: sure. we need to cooperate internationally because we are not the only country that's been targeted by chinese hackers. there was a member different countries all over the world being attacked by them. so if you can get the global community on board the kind of
11:25 am
combat this, this may have some impact. we are working on partnerships in the pacific where, if you steal intellectual property belong to an american company, you can be prosecuted. you still have, the u.s. companies will be able to prosecute you as if you were stealing in the united states. we mentioned the best practices earlier, the voluntary set of, you know, use a different password and default setting. update your software, monitor your with th and then there's also the security legislation that deals with information sharing betweeo the government and the private e sector as well as bestas practices. >> host: our guest is john read with "foreign policy" magazine. graduate of the university of new hampshire and i has written for a number of publications including california answered edgar of defensed
11:26 am
take the daniel is joining us from california, republican line. good morning. >> caller: good morning. my name is daniel, and i'm a special forces officer in the army and i just want to comment on what i'm seeing on the tv i' right now by them chinese. in college for my thesis paper i wrote about a war between united states and china.e i just want to say it's come to that but it's a pretty serious thing. we haven't -- [inaudibl. the government has change our system so the jobs come back. this whole thing with hacking ic this whole hawdo, it's asymmetric warfare, a great way hack somebody. not just economically but econoa militarily. so to defend against something like that you've got to something concrete. .
11:27 am
in this case, guns and nuclear weapon that are not connected to the systems that they can hack. host: we have heard from defense secretary leon panetta that says -- who says that if we do not act on it, we could potentially face what he calls a cyber pearl harbor. is it that series? caller: i think it is that serious. i mean, not just military and government systems. china even attacks citizens who have left china and fled to the u.s.. -- the last paper wrote on this was in 2010. in 2010, china had over 300,000, i repeat, 300,000 state sponsored hackers in the army, just the army. that is more people that we have in this country defending
11:28 am
against cyber attacks. in 2010, they attacked and we can trace back to the chinese government, directly back to the chinese government over 90,000 attacks. host: thanks for adding your voice to the conversation. your response? guest: one of the worries that people do have is that once you are into someone's network, you can go and steal information or you can spy on them. there's nothing to stop you from actually conducting a destructive attack. that is what worries a lot of people. many people are not so much worried about china or even potentially russia during a destructive attack, but just the knowledge that they are in our networks could cause us to hedge our actions when dealing with these countries. there are more worried about nations like iran, who have nothing to lose when conducting a cyber attack, then china or
11:29 am
russia, who do have something to lose. they are trading partners with the u.s. they may not be interested in in destroying our infrastructure just yet, but they are certainly interested in stealing and spine. host: on that -- and spying. host: on the twitter page, one person has come out what training do russian actors get that makes them so good? guest: it is a long tradition of espionage throughout the cold war against the united states. the chinese hackers are catching up. they have made enormous strides in the last 10 years. >> there talking about u.s. response to a potential cyber attacks from china. earl is on the phone from maryland, independent line. >> i think this problem is not
11:30 am
going to be resolved for the simple reason -- i used to tell my children that what you accept is what you teach. americans do the same thing to iran and now want to say the reason why they do it is because of good reasons while others do it for bad reasons. good and bad is relative. because they do it for different reasons other than you, you never look at the principle of what you are doing. a lie is a lie in a matter what good reason you tell a lie for. they learn have to be deceitful like you. guest: the u.s. government is allegedly behind the seven
11:31 am
attack in iran that destroyed several thousand nuclear centrifuges a year -- centrifuges a couple years ago. we spy on other governments. we spy on other countries create but we are not using the nsa to spy on chinese businesses. other countries are going to look at our astronauts. -- at our espionage. >> from twitter -- and this op-ed from the commentary section. a smack down on china's side for thieves.
11:32 am
he also points out that this is not the first time that china has been caught doing this, going back to early in the last decade. an investigation revealed that -- guest: that is what we were talking about. if you have been paying attention dissever security, you have been watching this go on for the last decade or more. companies that were working on the f35 program, and then last fall we saw something produced in china that looked an awful lot like an f35. you cannot directly to be that to the hacking of the program. it just looks like it. host: richard is on the phone
11:33 am
from florida. good morning. caller: i agree with some of your callers. we have been doing -- a number of years ago china forced down a spy plane. you have mentioned cyber attacks against iran. i do not know how much we were involved in having scientists killed. we seem to run drones into other people's countries without any problem in people. how would we feel if somebody threw a drone in our country and assassinated somebody. guest: that is the argument. i just sat down with a famous
11:34 am
russian cyber security expert. he is talking about how easy it would be to reverse engineer a virus. it is what people claimed the united states used against iran. they could use against us on our power facilities. people point to the attack that destroyed 36,000 computers and said it was around hang us back. -- it was iran paying us back. >> i have a question. i am in the industry. in our service we use ip blocking based on the location of the ip. we did block all chinese eyepiece. i would like to know why that is not being done when it comes to security. corporations have the ability. i am curious what they do not do that.
11:35 am
host: explain that ability. the ability to do or prevent what? caller: if you see an ip address, there is a company that will observe all ips coming into your network. you can see it is a chinese ip. you can say "block all ips from this range." > host: do you think washington is doing enough on this front? caller: we need to find the answer to stop that level of espionage. host: what questions would you
11:36 am
be asking? caller: what technology are using? are we observing or are we just hoping that a system is automated will do the job for us? guest: there are two elements of that. american businesses to not want to stop doing business in china. i was talking to an official the other day who says we cannot just ignore china. we have to figure out a safe way to do business with the chinese and their government while protecting our intellectual property. that comes back to the information we are hearing between u.s. government intelligence agencies and the private sector. when the nsa sees all of this malware comign in from certain ip addresses, what they would like to do is share this information so we can learn what that information is coming from these addresses and block them. that is part of the approach the
11:37 am
government wants to take in dealing with this. along those lines, there is this tweet -- guest: a lot of what it is is identifying your valuable information and keep it offline. monetary or networks. assume you are going to be breached. a fire wall is not going to do it. you have to assume that people are already inside your networks. you have to monitor for strange behavior inside your networks. the information being siphoned off at two o'clock in the morning, a lot of it is monitoring tools. host: we spent a lot of time focusing on the nation's debt and china is buying up a lot of the debt. guest: u.s. officials will say this is very tough
11:38 am
diplomatically because it is a tricky. host: what is the number one challenge on this issue? what does john kerry need to guest: do how does he confront the chinese? the number of chinese is going to increase -- there is all sorts of jargon saying we aren't discussed this at the highest level and say that this is not an acceptable. some people are calling for the state department to look at ways we can actually impose certain sanctions or ban -- the line they are calling on the government to do that kind of thing. host: our next caller is from michigan. cynthia is on the phone on the republican line. welcome to the conversation. caller: thank you for taking my call. scripture says "can two walk together except they be agreed."
11:39 am
we have been very weak when it comes to our enemies. i pray that we would have a much stronger stand against our enemies, including china. what do you have to say about these things? guest: what people are worrying about is will we be able to stop this in a traditional diplomatic sense? or will it take something heavier? let's take sanctions? will it be something that we are just going to have to deal with and just figure out how to protect our secrets on this front because they will not stop? host: mike from pennsylvania, independent line, good morning. caller: my question is, i have been wondering about the long- term reliability of all of this stuff.
11:40 am
not long ago south carolina was packed, the fed was hacked, i just keep thinking it is going to end up being a long-term expensive fad that seems to be failing. is that a possibility? guest: the state of cyber- security favors the attacker. everybody is being hacked by a number of different actors. it is a rather than problem that favors the attackers. until we come up with new laws in ways of dealing with this domestically and internationally, as well as new technologies, it is going to
11:41 am
favor the attacker. people think is going to shift in favor of the defender. we will have an understanding of how we protect our secrets and our property. host: 8 twitter or facebook account, a much lower level to hack. the question is why? guest: it depends on what they want to do with your account. hackers just wanted his name. in other cases they may want to use your account to send out malware. or they may want to hack your e- mail because you are somebody
11:42 am
the hackers are interested in animal: secrets of your life. there would love to know details about your life that they can use to pay a better picture of you and your decision making process. they could potentially use that to act as more secret information. host: how does any one company or individual feel secure in all of that and determine what is a portent to them -- what is important to them? guest: what is the information your company would have a hard time staying in business if it were lost, take that offline. much for state secrets, say you
11:43 am
cannot bring this document outside of a room, but have computers isolated with this information. host: from michigan, good morning. caller: good morning. first of all i would like to say thank-you to c-span. as far as cyber-attacking, we need to really been looked at -- really look at how we have been doing business with china. host: how likely is that? guest: we have already a couple of members of congress calling for sanctions against china. we will see. it depends on how the diplomatic efforts go. if we see more examples of the -- more companies coming out and saying "we have been hacked," if
11:44 am
we see more of that we may see increased pressure on the executive branch to implement sanctions. we may see it happen. host: our last caller is from independence, missouri. republican line, good morning. caller: i wanted to ask -- we give away as much economic information with products we ship to china. they have torn our car -- torn our cars completely. when they start making cars -- guest: there are partnerships between american businesses and
11:45 am
chinese companies. we have several aerospace companies doing business in china. can you trust that information isn't going to be -- what is to keep the chinese out of your military networks? how did they not get to your network when you're doing business in china? people bring throw away computers and but there is when they do business with china. it is still a concern. host: john reed, >> and you can see that discussion again online anytime at
11:46 am
a live picture now from a forum on government security, cybersecurity that is, that we've been bringing to you. the speakers are in a break right now, and they are about to take lunch and during the luncheon homeland security official suzanne spaulding and andy ozment is the senior director for cybersecurity will address the group it will have live coverage of the remarks when they get underway here on c-span2. while we wait we will go back to remarks earlier in this conference from eric rosenbach, deputy assistant secretary of defense for cyber policy. >> good morning, everyone. i have the honor of introducing eric rosenbach. he was appointed the deputy assistant secretary of defense for cyber policy on september 26, 2011. in this capacity, he supports the secretary of defense and other senior department of defense leaders by formulating, recommending, integrating, and
11:47 am
implementing policies and strategies to improve dod's ability to operate in cyberspace. mr. rosenbach recently led the global cybersecurity is at good harbor consulting where he advised executives of fortune 500 companies on cybersecurity and mitigation strategy. mr. rosenbach previously worked as the executive director of the center for international at the harvard kennedy school. he managed the center's operations taught classes, on cybersecurity, and terrorism policy, and counterterrorism policy and codirected a joint harvard project on international cybersecurity policy. prior to his work at harvard, mr. rosenbach served as national security advisor for senior,
11:48 am
senator chuck hagel, and as a professional staff member on the senate select committee on intelligence. during his time on the ssdi, you provided oversight of intelligence community, counterterrorism programs and led to investigations of prewar intelligence on iraq. mr. rosenbach has co-authored and edited several books on national security issues. he was a fulbright scholar. he holds a jd from georgetown, masters of public policy from the harvard kennedy school, and bachelor of arts from davidson college. please hit me a warm welcome in introducing mr. rosenbach. [applause] >> okay. good morning, y'all. it's really nice to be a. i already see some friendly faces and some faces that make
11:49 am
me trimmer. the friendly faces are former students from the kennedy school like right there. always good. he can ge be in my site. friendly but make me trimmer are -- already smacked me and i'll to start asking questions. when you're in a job like mine, you see strikes fear and hard every day. she knows what she's talking about. that's good. this morning i'm happy to be here. it's a great audience full of lots of very smart people, and rather than give a long speech that would be pretty boring to you all, i'm going to mix it up all of it. and so here's what i would like to do. falling back on my kennedy school style, i'm going to introduce a hypothesis, a little bit of an argument and give you background on why i think that's the case. and then the ready, this or i'm warning you right now, i'm going out to the audience and going through cold call on some of you, most of you, particularly those of you who are asleep and future thoughts on this so we can work on our problems together. so now that you've been warned,
11:50 am
here's the problem i like to talk about today. it's the idea of zero days that are being produced in to attack international control systems in a constructive manner, and not do it is produced by nation states which, of course, are in the business of doing that, but nonstate groups and the growing market for destructive zero days around the world. that's something that keeps me awake at night. when you think about the things that keep you awake at night, that are unknown known problems. you think at least there some way to address it. been there is no one unknown, which is probably is in that category, unknown unknowns. instantly the unknown unknown because you don't know about and you. but it's the middle category you know that there's a big problem, but you don't know exactly where it is, and you have only kind of nascent ideas about how to address. that's why i'm going to turn to
11:51 am
you, a large group of smart, distance people to try to help me out. so there are three parts to the recipe about this problem that i have identified by talking about. the first is it's increasingly easy using either commercially or freely available technology, to identify vulnerabilities and industrial control the system. for example, without naming the name of one particular website, there's a group of capability where you can go and you can identify vulnerabilities on the public internet of industrial control systems. that to me is scary because you don't need special is now strategically to go do something that is available on the public web, putting something industrial control system for this location, this type of system, and see what's there. because this all starts of course with finding the vulnerability. secondly, there's a growing black market for groups and individuals who are willing to produce, for money, destructive malware.
11:52 am
this is a big problem. malware is very difficult to track. it's not that difficult to construct, and combined with the third point of this recipe, which is a growing demand for destructive malware from both group and nationstates, you put all those three things together and you can see why this was makes someone like me extremely nervous. now, this is a hard problem. when your nation is pretty policy you are used to be with heart problems, and the fact that's what attracted me to the space, heart problems, and electric challenging and then trying to do something about in government nowadays is even more challenging. this is a hard problem that is even more difficult than some of the most difficult we had in past. so one of my mentors as i have gone to school and taught, graham allison. i think you all know about graham allison. one of the books he wrote is called nuclear terrorism. one of his most well-known books. he goes by the idea of a suitcase size nuclear bomb or weapon could be smuggled into
11:53 am
new york or any city and detonated and go off. so i'll tell you, in some ways that's a good analogy but very often nowadays as soon as people start to talk about nukes as an analogy to cyber, i think they probably don't know what you're talking about because as someone who probably came up with a cold war way of thinking and it's an analogy that if it is almost always false. this is another example of why it's false. loose noose is an easy problem compared to constrain the flow of destructive malware from black market. why? personal loose noose produced almost entirely to every that i know by nationstates. second of all, they give off a signature, right? there's radiation ways you can attract them and it's a physical thing like don't do the obvious but it's something you can track. those are not all the same situation when you come to distrust of malware, which can be produced by an individual which doesn't exist as a physical thing, and passes over
11:54 am
borders in a way that is nearly if not completely impossible to track. okay, so i think that i have kind of set up the problem. and so in the four-part series were i set up the problem, i can go due to talk about that a little bit more. i'm going to give you a little bit about what i think the role is in this problem and get more answers from y'all. i'm going to go back out to you right now to get some interest. so i'll put on general alert, whoever is in the back left corner of the room in my class or any speech always gets called on first. so it looks like that very lucky person is this cut in kind of a light blue shirt, greater. that guy right there. yes, you just got fingered. okay, serve, tell me, tell me, and someone will run, you've got to run, run, there we go. what's your initial reaction to my framing of this problem?
11:55 am
>> we are in a lot of trouble. >> were in a lot of trouble, okay. so one of the things which prepare for for cyber issue or not overhyping a problem that may just be -- >> we will leave this discussion here to return live now to the confidant government cybersecurity. keynote speakers for the luncheon our homeland security official suzanne sullivan being introduced now, and andy kaufman was the senior director for cybersecurity. this is life coverage just getting underway on c-span2. >> possible for pulling this impressive gathering together and what looks like a terrific agenda. sounds like you had a great morning, and it looks like you have a terrific afternoon. and it is a real pleasure for me to be able to be here today to have this conversation with you. and i do hope that this will be a conversation. i want to encourage you to send comments and questions as i'm
11:56 am
speaking to the e-mail address so that we can, so that i can hear your thoughts and your questions and/or concerns or because it is only through a true collaboration, and a real dialogue, that we are going to be able to develop the kinds of innovative solutions that we will need to address the significant challenge of ensuring the security and resilience of our nation's critical infrastructure. i love the title of this conference, 18 has to act of resilience. i love the emphasis on team because that is certainly at dhs, something we spend each and every day focused on. the whole of government, whole of community approach, so working carefully across the interagency with our fellow departments and agencies at the federal level, but also very
11:57 am
much with our state local territorial and tribal partners. and then, of course, with our private sector stakeholders, and particularly for us the critical infrastructure owners and operators who commune, the private sector who owns the overwhelming percentage of our 85%, the% that's always been talked about for decades now, of our critical infrastructure. we cannot meet this challenge without a true collaboration in which we bring all of our knowledge, expertise, resources and capabilities in a very much in a team of way around the table. i also love the emphasis on resilience. because that is again something we've been pushing, i think when we first started looking at critical infrastructure protection common you know, back in the mid 90s, and certainly with a renewed emphasis after 9/11, there was this notion, a lot of circles, of security of
11:58 am
critical infrastructure being all about, you know, the protective shell, as if we put in a sealed tube and protect it from any harm or danger. and i think coming around to a more sophisticated notion of the importance of resilience has been a really important progress, and maturation come in our approach to critical infrastructure. and so i was really pleased to see that emphasized in its title. critical infrastructure, as you all know, but as i talk around the country and go to speak to groups, i often have to kind of explain what we mean by critical infrastructure. and remind people that what we are really talking about is not just the infrastructure that a lot of americans think in terms of our roads and bridges, which is critically important, but about all of those goods and services and networks, as a system that under gird, provide
11:59 am
the foundation and enable our ways of life. and so i talk about when you get up in the morning and you flip the light switch, that the lights going. you go into pressure to end your turn the faucet and the water comes out. and to go to get on whatever transportation to get to work and you are able to get on that bus or drive on the highway, you're able to get the gasoline when you stop it when you get to work you can plug in your computer. all those things that we take for granted are what we are talking about, obviously, we talk about critical interest which. aptly crucial. and that is our focus. ..

U.S. Senate
CSPAN February 22, 2013 9:00am-12:00pm EST


TOPIC FREQUENCY China 32, U.s. 28, Us 25, Burma 7, United States 7, Afghanistan 6, Mr. Rosenbach 5, Honduras 5, Cyberspace 5, Clinton 4, Dhs 4, Syria 4, John Reed 3, Brett Williams 3, Southeast Asia 3, Russia 3, Iran 3, Hhs 2, Graham Allison 2, Eric Rosenbach 2
Network CSPAN
Duration 03:00:00
Scanned in San Francisco, CA, USA
Source Comcast Cable
Tuner Channel 17 (141 MHz)
Video Codec mpeg2video
Audio Cocec ac3
Pixel width 704
Pixel height 480
Sponsor Internet Archive
Audio/Visual sound, color

disc Borrow a DVD of this show
info Stream Only
Uploaded by
TV Archive
on 2/22/2013